Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Fix for issue 1798 #2528

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Nov 10, 2011
Merged

Fix for issue 1798 #2528

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
348bccb
Clear session cookie if user was deleted, is disabled or locked to pr…
snc Oct 31, 2011
f9befb6
Remove only the security token instead of the session cookie.
snc Nov 1, 2011
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions src/Symfony/Component/Security/Http/Firewall/ExceptionListener.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,9 @@
use Symfony\Component\Security\Http\Authorization\AccessDeniedHandlerInterface;
use Symfony\Component\Security\Core\SecurityContextInterface;
use Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolverInterface;
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
use Symfony\Component\Security\Core\Exception\AccountStatusException;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
use Symfony\Component\Security\Core\Exception\InsufficientAuthenticationException;
Expand Down Expand Up @@ -158,6 +160,12 @@ private function startAuthentication(Request $request, AuthenticationException $

$this->setTargetPath($request);

if ($authException instanceof AccountStatusException && ($token = $this->context->getToken()) instanceof UsernamePasswordToken) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why restricting this behavior to UsernamePasswordToken tokens?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's because the issue should only occur if the firewall tries to reload the user and this can only be done if there is a username.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@snc all token contain a user and all listeners reload the user (a listener not doing it would be an issue if an admin locked the user for instance, and thus it would be a detached Doctrine entity causing many WTF).

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@stof I rechecked why I used UsernamePasswordToken, it is the parent class which contains the providerKey which is needed to get the name of the session variable.

// remove the security token to prevent infinite redirect loops
$this->context->setToken(null);
$request->getSession()->remove('_security_' . $token->getProviderKey());
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The session is not always enabled. That should be checked first.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe the issue can only occur if the session is enabled, else the AccountStatusException would not be thrown. Should we still check for it?

}

return $this->authenticationEntryPoint->start($request, $authException);
}

Expand Down